Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hacktool.rootkit Filename: C:\windows\system32\mowdhhqw.idf


  • Please log in to reply
13 replies to this topic

#1 tiren99

tiren99

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 23 June 2006 - 04:01 PM

I ran hijack this but don't have a clue how to read log. Would someone please help me out on this. Have a Hacktool.Rootkit filename: c:\WINDOWS\system32\mowdhhqw.idf on my system and cannot get it removed. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:39:03 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [No Spy] "C:\Program Files\SinEspias\No-Spy.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.yahoo.com/
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121830780046
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686744A7-C6A5-459A-A63C-9FB3B517E13B}: NameServer = 85.255.115.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{68D286DC-FD59-429E-99C9-199D5D1BB5DF}: NameServer = 85.255.115.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC9EDBEF-6DF7-4514-AE03-688F74BC0A5A}: NameServer = 85.255.115.53
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 June 2006 - 04:10 AM

Hi tiren99 and Welcome to the Bleeping Computer!


Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Please wait until Safe Mode to run Ewido!


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer,Reboot into SAFE MODE(Tap F8 when restarting)
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads-> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

    O17 - HKLM\System\CCS\Services\Tcpip\..\{686744A7-C6A5-459A-A63C-9FB3B517E13B}: NameServer = 85.255.115.53

    O17 - HKLM\System\CCS\Services\Tcpip\..\{68D286DC-FD59-429E-99C9-199D5D1BB5DF}: NameServer = 85.255.115.53

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CC9EDBEF-6DF7-4514-AE03-688F74BC0A5A}: NameServer = 85.255.115.53

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Once in safe mode Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 85.255.115.53
IpDns2Address = 85.255.115.53
IpNameAssign = 2



Now open the Control Panel-> In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems.


Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido and Panda

#3 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 30 June 2006 - 09:02 AM

Thank you for your help Cretemonster as it seems to have removed or help my problem as my computer is not doing what it was before. Here are the new reports from hijackthis, Panda and ewido you asked me to post.

Logfile of HijackThis v1.99.1
Scan saved at 8:52:37 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Norton Internet Security\ccEmFlSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [No Spy] "C:\Program Files\SinEspias\No-Spy.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.yahoo.com/
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121830780046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe




Activescan..................
Incident Status Location

Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2218.exe
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/emediacodec Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\simpole.tlb
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\Temp\h91746.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\WINDOWS\Temp\sa8F.exe




ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:01:20 PM 6/29/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{18C2B1ED-7635-92A8-5DB5-E71520573650} -> Adware.CoolWebSearch : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{4C928477-3A6D-F1DD-A78A-1F75F7C46F82} -> Adware.CoolWebSearch : Cleaned.
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned.
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld352B.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\1024\ld9B95.tmp -> Trojan.Small : Cleaned.
C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned.


::Report end

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 01 July 2006 - 05:22 AM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#5 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 02 July 2006 - 02:31 PM

Here is my report from SmitfraudFix

SmitFraudFix v2.65

Scan done at 14:28:29.18, Sun 07/02/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !

C:\Documents and Settings\Owner\Application

Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet

Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\

SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

[HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcS

erver32]
@="C:\WINDOWS\system32\ofcukiz.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c85

5791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"


Scanning wininet.dll infection


End

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 02 July 2006 - 05:35 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

#7 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 02 July 2006 - 09:28 PM

Here is the second report from SmitfraudFix after the clean.


SmitFraudFix v2.65

Scan done at 21:11:14.71, Sun 07/02/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

[HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\ofcukiz.dll -> Missing File


Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 02 July 2006 - 09:49 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\Temp\h91746.exe
    c:\windows\downloaded program files\gdnUS2218.exe
    c:\documents and settings\all users\favorites\Download Free Spyware Remover.url


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Open Killbox again and Click Tools--> Delete Temp Files

Delete all temp files for every user name that killbox list.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#9 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 03 July 2006 - 07:45 AM

F-Secure report

Result: 48 malware found
Backdoor.Win32.Agent.rw (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A4E6905.EXE (Renamed & Submitted)
Exploit.HTML.Mht (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\154060AF.HTM (Renamed & Submitted)
Exploit.VBS.Phel.a (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\264F27EA.HTM (Renamed & Submitted)
Packed.Win32.Tibs (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4EF41EF1.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\594C44D7.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\68942FB2.EXE (Submitted)
Trojan-Downloader.JS.IstBar.k (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\1DC657B9.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\46F2720A.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\470343F8.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\472367D4.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\474735AD.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\512052D7.HTM (Renamed & Submitted)
Trojan-Downloader.VBS.Psyme.at (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3D8D36D0.HTA (Renamed & Submitted)
Trojan-Downloader.Win32.Agent.alf (virus)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.5\GDNUS2218.EXE (Renamed & Submitted)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.4\GDNUS2218.EXE (Renamed)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.3\GDNUS2218.EXE (Renamed)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.2\GDNUS2218.EXE (Renamed)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\GDNUS2218.EXE (Renamed)
C:\!KILLBOX\GDNUS2218.EXE (Renamed)
Trojan-Downloader.Win32.Agent.uj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A104B4A.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.IstBar.gen (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\34A56707 (Renamed & Submitted)
Trojan-Downloader.Win32.IstBar.jm (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\34A81103 (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\6ECE15E1 (Renamed & Submitted)
Trojan-Downloader.Win32.Obfuscated.n (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A9E3B0F.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4AA50F07.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\54156CA4.EXE (Renamed & Submitted)
C:\!KILLBOX\H91746.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.byj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\04856FE5.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.dam (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\0B2E2F32.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.aan (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3A634961.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.aeq (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\5470043F.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.WinShow.z (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\59AD3AED.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\64DB0F27.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\653D76EB.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.sh (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\753478B9.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Zlob.sm (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A2162F7.EXE (Renamed & Submitted)
Trojan-Dropper.VBS.Inor.cj (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\64D8652A.HTA (Renamed & Submitted)
Trojan.Win32.Agent.bi (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\64CE6735.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\64D43B2E.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\64D8652A.EXE (Renamed & Submitted)
Trojan.Win32.DNSChanger.bh (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7F4C3DA0.EXE (Renamed & Submitted)
Trojan.Win32.Dialer.iz (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\58E2643C.EXE (Renamed & Submitted)
Trojan.Win32.Favadd.an (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4A2A1B2D.EXE (Renamed & Submitted)
Trojan.Win32.Small.gq (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\3D8A0CD4.EXE (Renamed & Submitted)
Worm.Win32.VB.an (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\00AE0228.EXE (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\663F7033.EXE (Renamed & Submitted)
not-virus:Hoax.Win32.Renos.dk (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\18BF62D0.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\7226234D.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32839
System: 5311
Not scanned: 19
Actions:
Disinfected: 0
Renamed: 43
Deleted: 0
None: 5
Submitted: 43
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLQ828026$\WMPCORE.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\VBAJET32.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\RPCRT4.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\WKSSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB826942$\DHCPCSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB826942$\WZCDLG.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE
C:\WINDOWS\$NTUNINSTALLKB826939$\SHELL32.DLL
C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-01
F-Secure Libra: 2.4.1, 2006-06-30
F-Secure Orion: 1.2.37, 2006-06-30
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-05-13
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 03 July 2006 - 08:14 AM

Better results than I expected! :thumbsup:


Navigate to the Norton Quarantine folder and remove everything

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE


To double check,Open Norton Antivirus and Click Reports

Beside Quarantined Items,Click View Reports.

When the next window opens,clear out anything under Quarantined Items or Backup Items.


Now,lets see what F-Secure renamed all those downloaded program files to so we can remove them.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#11 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  

Posted 03 July 2006 - 10:16 AM

KASPERSKY ONLINE SCANNER REPORT
Monday, July 03, 2006 10:14:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/07/2006
Kaspersky Anti-Virus database records: 204422


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 84057
Number of viruses found 42
Number of infected objects 174 / 0
Number of suspicious objects 0
Duration of the scan process 01:21:09

Infected Object Name Virus Name Last Action
C:\!KillBox\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\!KillBox\H91746.0XE Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-07-03_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Program Files\BearShare\Installer\BSINSTALL.exe WiseSFX: infected - 3 skipped

C:\Program Files\BearShare\Installer\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped

C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0362NAV~.TMP Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0743NAV~.TMP Object is locked skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc10.0XE Infected: Worm.Win32.VB.an skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc102.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc103.0TM Infected: Exploit.VBS.Phel.a skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc105.bmp Infected: Trojan-Downloader.Win32.Agent.bq skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc108.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc11.0XE Infected: Trojan-Downloader.Win32.Small.dam skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc110.exe Infected: Packed.Win32.Tibs skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc112.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc113.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc115.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc116.0XE Infected: Trojan-Downloader.Win32.WinShow.z skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc117.0XE Infected: Worm.Win32.VB.an skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc119 Infected: not-a-virus:AdWare.Win32.SBSoft.h skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc12.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc121.0XE Infected: Trojan-Downloader.Win32.Small.byj skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc122.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc122.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc122.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc122.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc122.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc126.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc127.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc128.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc130.0XE Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc131.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc132.exe Infected: Packed.Win32.Tibs skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc133.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc134.0TM Infected: Exploit.HTML.Mht skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc135.wmf Infected: Exploit.Win32.IMG-WMF.v skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc136.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc137.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc139.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc140.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc141.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc142.bmp Infected: Trojan-Dropper.Win32.Small.tn skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc143.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc144.0XE Infected: Trojan-Downloader.Win32.Zlob.sh skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc145.tmp Infected: Trojan-Downloader.Win32.Zlob.sm skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc146.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc147.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc147.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc147.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc147.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc147.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc148.0XE Infected: Trojan-Downloader.Win32.VB.aeq skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc150.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc151.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc151.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc151.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc151.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc151.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc152.exe Infected: not-a-virus:Downloader.Win32.Agent.c skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc153.jpg Infected: Trojan-Downloader.Win32.Small.bns skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc16.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc17.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc18.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc19.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc20.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc20.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc20.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc20.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc20.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc21.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc22.exe Infected: not-a-virus:AdWare.Win32.BHO.ah skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc23.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc24.0XE Infected: Trojan-Downloader.Win32.VB.aan skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc25.0XE Infected: Trojan.Win32.Small.gq skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc26.idf Infected: Trojan-Clicker.Win32.Small.js skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc27.0TA Infected: Trojan-Downloader.VBS.Psyme.at skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc28.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc28.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc28.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc28.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc28.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc29.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc30.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc32.0XE Infected: Trojan.Win32.Favadd.an skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc33.0XE Infected: Backdoor.Win32.Agent.rw skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc34.0XE Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc35.0XE Infected: Trojan-Downloader.Win32.Agent.uj skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc36.0XE Infected: Trojan-Downloader.Win32.Zlob.sm skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc37.tmp Infected: Trojan-Downloader.Win32.Zlob.sh skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc38.0XE Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc39.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc40.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc41.exe Infected: Packed.Win32.Tibs skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc43.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc45.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc46.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc47.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc52.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc52.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc52.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc52.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc52.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc53.0 Infected: Trojan-Downloader.Win32.IstBar.jm skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc55.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc57.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc57.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc57.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc57.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc57.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc58.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc58.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc58.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc58.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc58.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc59.0XE Infected: Trojan.Win32.DNSChanger.bh skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc60.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc64/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc64/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc64 NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc64 CryptFF: infected - 2 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc65.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc66.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc68.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc70.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc73.0 Infected: Trojan-Downloader.Win32.IstBar.gen skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc74.0 Infected: Trojan-Downloader.Win32.IstBar.jm skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc75.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc76.0TM Infected: Trojan-Downloader.JS.IstBar.k skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc77.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc79.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc79.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc79.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc79.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc79.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc80.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc81.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc82.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc82.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc82.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc82.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc82.jar CryptFF: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc83.0XE Infected: Trojan.Win32.Dialer.iz skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc84.0XE Infected: Trojan-Downloader.Win32.WinShow.z skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc85.0XE Infected: Trojan.Win32.Agent.bi skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc86.0XE Infected: Trojan.Win32.Agent.bi skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc87.0TA Infected: Trojan-Dropper.VBS.Inor.cj skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc88.0XE Infected: Trojan.Win32.Agent.bi skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc89.0XE Infected: Trojan-Downloader.Win32.WinShow.z skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc9.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc90.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc93.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc94.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc95.tmp Infected: Net-Worm.Win32.Mytob.ba skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc96.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc97.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc97.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc97.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc97.jar ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-1496314128-1417674827-1263811847-1003\Dc97.jar CryptFF: infected - 3 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP27\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped

C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\GDNUS2218.0XE Infected: Trojan-Downloader.Win32.Agent.alf skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 03 July 2006 - 10:51 AM

You can use Killbox and Delete all these with just "Standard File Kill"


C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\Documents and Settings\Owner\My Documents\Programs\BSINSTALL.exe
C:\Documents and Settings\Owner\My Documents\BSINSTALL.exe
C:\Program Files\BearShare\Installer\BSINSTALL.exe



After that,delete this folder manually--> C:\!KillBox


Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?

#13 tiren99

tiren99
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 05 July 2006 - 02:30 PM

WOW......everything seems to be good and I feel I have a pretty good peace of mind that my computer is pretty clean. I really appreciate all your help and your quick responsed and help.

Thank you again Cretemonster.

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 05 July 2006 - 02:47 PM

Good Deal,Im glad to hear the PC is being more User Friendly! :thumbsup: :flowers:


Go ahead and Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates atleast twice a week


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us! :huh:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users